
rule EXPL_Shitrix_Exploit_Code_Jan20_1 : FILE {
   meta:
      description = "Detects payloads used in Shitrix exploitation CVE-2019-19781"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/"
      date = "2020-01-13"
      score = 70
      id = "7fab3a9b-82a5-573a-b210-2ae65f1a7f24"
   strings:
      $s01 = "/netscaler/portal/scripts/rmpm.pl" ascii
      $s02 = "tee /netscaler/portal/templates/" ascii
      $s03 = "exec(\\'(wget -q -O- http://" ascii
      $s04 = "cd /netscaler/portal; ls" ascii
      $s05 = "cat /flash/nsconfig/ns.conf" ascii
      $s06 = "/netscaler/portal/scripts/PersonalBookmak.pl" ascii
      $s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec templae */
      $s08 = "pwnpzi1337" fullword ascii /* PZI india static user name */
      $s09 = "template.new({'BLOCK'=" /* PZI exploit URL decoded form */
      $s10 = "template.new({'BLOCK'%3d" /* PZI exploit URl encoded form */
      $s11 = "my ($citrixmd, %FORM);" /* Perl backdoor */
      $s12 = "(CMD, \"($citrixmd) 2>&1" /* Perl backdoor */

      $b1 = "NSC_USER:" ascii nocase /* https://twitter.com/ItsReallyNick/status/1217308463174496256 */
      $b2 = "NSC_NONCE:" ascii nocase /* https://twitter.com/ItsReallyNick/status/1217308463174496256 */
      $b3 = "/../" ascii
   condition:
      1 of ($s*) or all of ($b*)
}
